(71) We, GRETAG AKTIENGESELLSCHAFT, a company organised under the laws of the Confederation of Switzerland, of Althardstrasse 70, 8105 Regensdorf, Switzerland, do hereby declare the invention for which we pray that a patent may be granted to us, and the method by which it is to be performed, to be particularly described in and by the following statement:-

This invention relates to an identification process, using an identification card which bears two sets of machine-readable information and on which one set of information is stored in permanent form while the other set is stored in variable form.

Identification cards are used for the machine identification of individuals; they are used as credit cards, identity cards, or for cash withdrawals from automatic cash dispensing machines and the like. The authenticity of the identification card is usually tested in a test station during a test operation.

A good identification card must have high security against forgery, i.e. security against copying by unqualified persons, e.g. to prevent unauthorised persons from entering restricted areas or to prevent cash from being withdrawn by unauthorised individuals.

In the known systems, security against forgery is frequently achieved by making the identification cards difficult to produce, and then only with expensive apparatus, which is economic only if the cards are mass-produced and copies of individual cards are much too expensive. The information stored on the identification cards used with these systems is usually fixed. This has the following two disadvantages. Firstly, an organization using the identification system must obtain the cards in the finally coded form from the manufacturer and cannot re-code them themselves. This has an adverse effect on the secrecy of the system. Secondly, it is not possible to store on the identification cards variable data such as the account balance of a cash account or the time balance in the case of flexible time systems.

In another known system, the card information is contained in a magnetic track in readily recordable, readable and erasable form. It is easy for the user organization to carry out re-coding, but the security against forgery of the individual card is very low. It is increased by the card-holder introducing into the test station keyboard an individual secret identification number in addition to the card information so that a check can be made for agreement with the card information.

The disadvantages here are that, firstly, the system is forgery-proof only if the secret identification number is not disclosed and, secondly, this identification number must be introduced into the keyboard for each identification operation.

In another known process for achieving good security against the forgery of identification cards, for example as described in Swiss Patent Specification No. 554 574, the readily variable main information is stored on a conventional recordable and erasable information track on the identification card, for example a magnetic track, and the permanent and individual identification information which is difficult to forge is stored differently in another part of the card which is difficult to copy. This identification information is additionally stored in the magnetic track and during the test operation it is checked to see whether it agrees with the information that is difficult to forge. Although additional storage of the individual identification information can be effected in a different coding from that used for the information that is difficult to forge, or can be incorporated in the main information, there is a permanent and detectable agreement between the information stored on the information track and the information stored in the other form of storage, and proof against forgery is ensured only to a limited degree.

The object of this invention is to obviate all these disadvantages. Identification cards are used with the two types of storage, firstly magnetic track with readily variable information, and secondly forgery-proof type storage which is difficult to copy for permanent major information.

The forgery-proof information or selected parts thereof influence the readily variable information by means of crypto-technical methods so that it is not possible to detect any agreement between the two sets of information and the readily variable information is, in effect, just as forgery-proof as the information which is difficult to copy.

As a result of crypto-technical selection of small parts of the forgery-proof information, security against forgery is just as great as if all the forgery-proof information were used.

The process according to the invention is characterised in that the variable information, hereinafter referred to as identification information, is formed, when the card is made, by ciphering from at least selected parts of the permanent information on the card and a secret key information, and is stored on the card, and when the card is tested a test information is formed from the same selected parts of the permanent information and the secret key information and is tested for agreement with the identification information stored on the card.

In a very effective variant of the process, the type of ciphering is changed on each new test operation so that no agreement can be detected between the two types of information stored in different ways on the identification card.

The invention will be explained in detail hereinafter with reference to the exemplified embodiments illustrated in the drawings wherein:-

Figures 1a and 1b are diagrams showing the principle of an identification card in perspective (1a) and in plan view (1b);
Figure 2 diagrammatically illustrates a system for performing the process;
Figure 3 is an enlarged detail of Figure 2;
Figure 4 is a section on the line IV-IV in Figure 3;
Figure 5 is the bottom half of Figure 4;
Figure 6 is a detail of Figure 4 with a scanning device;
Figures 7 and 8 show another exemplified embodiment in elevation and in plan view; and
Figure 9 shows a detailed exemplified embodiment for performing the process.

In Figures 1a and 1b, magnetic track 2 is applied to an identification card 1, which in this case is shown as a CREDIT CARD, the track being scanned, recorded upon and erased by means of a magnetic head 3. The card also has a zone RF having a number of storage points RZ containing forgery-proof information IU. This latter information can be read by means of a scanning head 67.

The block schematic in Figure 2 diagrammatically illustrates a system for performing the method according to the invention, the storage points RZ being disposed in lines and columns of an X-Y coordinate system. By way of example, there are provided ten lines Y1 to Y10 and twenty columns X1 to X20 of storage points RZ, giving a total of 200 such points. Each storage point can contain 10^6 bits, so that the entire forgery-proof information on the card according to this exemplified embodiment would be 2 × 10^8 bits. The storage points RZ may be constructed as shown in Figures 3 to 5. The scanning head 67 for scanning the storage points RZ may be controlled by control information IS via line 50 so that the information of each individual storage point can be scanned.

For line selection the scanning head is movable in the Y-direction by a stepping motor, while column selection is made through a time window as the card passes in the X-direction through a test station. Both line and column selection are controlled by the control information IS.

All the information flows are shown by arrows in Figure 2. The input information at a crypto-computer 16 provided in a test station 52 is at least the code key information IEi taken from a code key store 17 and at least some of the forgery-proof information IU, in the form of input information IE:.

This input information is used for computing the output information IA. which is stored in the form of magnetic information IM on the magnetic track 2 by means of the magnetic head 3 either directly or indirectly via a mixer and comparator circuit 18. The coding makes it practically impossible to draw any conclusions as to the forgery-proof information IU from the magnetically stored information IM.

Such conclusions are completely impossible if additional input information IE> is fed to the crypto-computer 16 in the form of variable information IV generated in a generator 26. The variable information changes on each test operation, so that the output information IAi computed in the crypto-computer 16 and hence the magnetically stored information IM are different after each test operation. Firstly the variable information IV is introduced into the crypto-computer in the form of information IE.» during a recording stage of the test operation, such information IEi participating in determining the output information IA, which is recorded on the magnetic track. Secondly, the variable information IV is recorded directly on the magnetic track via a line 51 and another line 8. On the next test operation, it is then read out by means of the magnetic head 3 during the reading and test phase, and used as input information IEj for the crypto-computer 16 to form the output information IAi.

These operations are described in detail 
hereinafter with reference to Figure 9. 

The variable information IV may be a consecutive serial number which is generated in the generator 26 and assumes a new value on each test operation. The variable information IV may alternatively be date-time information taken from an electronic clock in generator 26. The variable information IV may be a random number which is taken from a noise or random generator or a pseudo-random generator in generator 26.

Each individual identification card may contain forgery-proof information differing from all the others. This provides a very high degree of security since in such a case a forger would have to undertake the very considerable task of copying each individual identification card of an organization.

Where the security requirements are not so strict, however, the forgery-proof information may be the same for all the identification cards, except for the card number, and this reduces the card production costs to some extent. Security is guaranteed by the pseudo-random selection of certain parts of the forgery-proof information by means of crypto-computers.

Some of the forgery-proof information IU may be recognition information IDu, i.e. for example, a coded card number which differs from card to card. This information can be examined in a control station 32 in the test station 52.

This recognition information could, for example, consist of the information of some of the 200 storage points RZ containing 10^6 bits, e.g. storage point at intersection Xi, Yi in Figure 2.

To increase the forgery-proof characteristics, information selected from storage zone RF by means of scanning head 67 could be used as additional recognition information to the permanent information IDu, in which case the control information IS for this selection would be output information IAi of the crypto-computer 16 obtained together with the permanent identification information IDu in the form of input information IE; to the crypto-computer 16.

A forger would, therefore, have to copy not only a single storage point RZ but the entire card, since he does not know what storage point will be selected by the crypto-computer.

Far more forgery-proof information can be applied to the identification card 1, i.e. 2 × 10^8 bits, for example, than can be processed within a reasonable time. Nevertheless, the full security offered by the large and complete quantity of information can be utilised. For example, using the variable information IV in the form of input information IEj to the crypto-computer 16, naturally in conjunction with the code key information IEi, it is possible to compute output information IAi which, by controlling the scanning head, selects from one of the 200 storage points RZ some of the forgery-proof information IU and makes it available as new input information IE* to the crypto-computer for computing the output information IAi. This partial information may, for example, be just the contents of a single storage point RZ selected in pseudo-random manner in this way, i.e. in this case approximately 0.5% of the total forgery-proof information.

It is only necessary to scan and process the information of a single storage point RZ, and yet the security against forgery is as high as if all 200 storage points were taken into account, because the forger naturally does not know which storage point is selected in "random" fashion by the crypto-computer.

Figure 3 is an enlarged detail of the identification card 1 having just two reflex zones RZ shown only partially. These reflex zones RZ consist of a number of boundary surfaces R* which extend over the width B of the zones and are separated from one another by boundary edges K. Separating zones TZ are provided between the individual reflex zones RZ. The size of a boundary surface R* in the direction of arrow L may be 0.2 mm while the width B transversely thereof may be about 2 mm so that the reflex zone having 10 boundary surfaces forms a square measuring 2 × 2 mm^2.

The section through the identification card in Figure 4 shows that the card consists substantially of a top layer 1b made from a plastic and a bottom layer 1a made from a similar material. The bottom layer bears the boundary surfaces R with corresponding boundary edges K which form the reflex zones RZ and are separated from one another by separating zones TZ. The underside of the bottom layer 1a bears a magnetic track coating 2. The two card layers are rigidly connected. The top layer 1b of the card must therefore either be a negative of the bottom layer 1a or must be applied in plastic or liquid condition to the bottom layer 1a without, however, changing the boundary surfaces R. The connection may, for example, be made by thermal ultrasonic welding at the separating zones TZ or by gluing the entire card surface. The connection of the two layers of the card must in any case be such that subsequent separation cannot be carried out either mechanically or with solvents without damaging the boundary surfaces.

Figure 5 is a section on the line V-V through the bottom card layer 1a (the top layer 1b has been omitted from the figure for the sake of clarity) and, as already stated, the bottom layer is divided up into reflex zones RZ and separating zones TZ. The reflex zones in turn have a number of boundary surfaces Ri-Ri which are at different angles 2, 4, 5 and n-1 to the card plane. The arrangement of boundary surfaces R usually differs from one reflex zone to the next. In the exemplified embodiment illustrated, ten boundary surfaces each having four possible angle positions are provided per reflex zone, and this means that 4^10 = 10^6 reflex zones differing from one another are possible. Of course the number of boundary surfaces per reflex zone and the number of different boundary surfaces per reflex zone and the number of different boundary surfaces may differ from this exemplified embodiment. The reflex zones RZ with the basal surfaces R may each be made by means of a press die by pressing into the plastic in the plastic state or in a plastic injection process. In the exemplified embodiment, the top side of the bottom layer of the card is metallized, e.g. by vapour coating or electroplating, so that the boundary surfaces R are provided with a metal layer 1c which reflects light. The metal layer is removed in the area of the separating zones TZ so that a plastic layer 1d is available in these zones and hence ensures a good connection between the two cards.

Figure 6 diagrammatically illustrates one exemplified embodiment of an optical scanning system for the identification card. The optical scanning system together with the recording and reading head 3 for scanning the magnetic track are installed in the test station through which the identification card 1 passes in the direction of the arrow L for test purposes. A light source 5, e.g. a laser generator, delivers a fine beam of light 5a which falls on to the identification card and is reflected by the boundary surfaces R1 to R10. These boundary surfaces may, for example, have four different angular positions (Figure 5) so that the reflected beam of light 5b may be at any one of four different angles φ1 to φ4 in relation to the incident beam, photodiodes P1 - P4 being provided to receive the reflected beams. In the position of the card shown in Figure 6, the beam of light 5a meets the reflecting boundary surface R* and is projected in the form of a reflected beam 5b on to the photo-diode P: which delivers a photo-current to the distributor circuit 7. As the reflex zone RZ in Figure 6 passes beneath the scanning beam 5a, ten photo-current signals are delivered in sequence by the four photo-diodes P1 - P4 according to the angular positions of the boundary surfaces R1 to R10, to the distributor circuit 7 where they are amplified and are fed, for example, after binary coding each with a different 3-bit number per photo-diode, to the output 10 of circuit 7.

Counting for the ten photo-current signals is started when the scanning beam 5a passes from the separating zone TZ, where there is no photo-current flowing, to the first boundary surface. The edges of the separating zones give a diffuse reflection.

The four photo-diodes P1 to P4 together with the light source 5 form the photo-scanning system 6 which can also traverse transversely of the direction of movement of the card to enable all the surface reflex zones to be scanned as described above. The photo-scanning system 6 together with the distributor circuit 7 forms the scanning head 67 which scans the storage points RZ containing the forgery-proof information IU.

Despite all the forgery-proof methods described above, there is still a possibility of fraud in respect of a qualified card holder having a genuine individual identification card and using his individual memorized identification number, in cases where the identification card is used for drawing cash by means of off-line cash dispensers in which the current account position is retained on the identification card in encoded form.

To do this, before he draws the cash the authorised card holder need only copy on to magnetic tape the magnetically stored information which includes the current account position, and then draw cash from one of the dispensing machines in which the new reduced account position is simultaneously recorded in encoded form in the magnetic track. He can then over-record on this information the magnetic tape copy corresponding to the higher account position, and then draw cash from a second dispensing machine and so on.

Of course this could be prevented if cash drawings were restricted to a specific machine, in which case the number of this machine would serve as further input information for the crypto-computer. Alternatively, a minimum time limit could be introduced between two cash drawing operations, by means of the electronic clock delivering the date-time information as a variable, and this minimum time limit would be operative until the account position has been communicated to all the off-line cash dispensers.

All this is very complicated however, and it is therefore proposed that at least one of the reflex zones should be irreversibly erased after each individual card test to ensure fraud-proof inspection via the number of card tests.

As shown in Figures 7 and 8, this can be effected by the card material containing a thermally blackenable substance used in thermographic printing. Triggered by an input 13, a pin 11a is heated in an erase head 11 of a heater coil 12 and blackens and thus erases the reflex zone situated therebeneath. The erase head 12 can be set to any desired reflex zone by the triggering of input 13.

Individual reflex zones may alternatively be erased by punching out, in which case the erase head 11 is replaced by a punch head.

The erased reflex zones are also tested by means of the scanning head 67. In the case of 200 reflex zones, for example, 100 could be erased, i.e. 100 card tests can be carried out before the identification card requires replacement.

Referring to Figure 9, irreversible erasure of storage points or reflex zones RZ containing the forgery-proof information is carried out by means of the erase head 11, starting at the bottom line Yi, one storage point RZ being erased during each test operation under the control of a first station 32a of the control stage 32 by means of information IL via input 13. The erase head 11 is on storage point X* in line Yu.

On each test operation, under the control of the first station 32a, the scanning head 67 will scan the line containing the erased storage points and feed it as further input information to the crypto-computer. In this way, the above described fraud is impossible, since information in the old magnetic track does not agree with the new information to be erased.

In the method according to the invention, a considerable proportion of the security against forgery lies in the fact that selection of the forgery-proof information is determined by a code key applied to a crypto-computer.

This selection can readily be changed, firstly by means of the variable information IV, and secondly by changing the code key.

Security against incorrect scanning of the identification cards can be ensured by the well-known redundancy methods such as multiple storage, fault-detecting or fault-correcting codes, and so on. Faulty scanning of the optically scannable forgery-proof information due to soiling of one of the reflex zones RZ can be rendered inoperative by repeatedly scanning the card, a new reflex zone RZ being selected by the crypto-computer on each new scanning as a result of the action of the variable information.

Identification and forgery-proof storage of variable data, e.g. sums of money or time balances, will now be explained with reference to Figure 9. Only one example of this will be described, but the invention is not restricted thereto.

The example relates to very high security against forgery and in many practical cases some of the steps described can be omitted.

For identification, a test operation consists of an identification phase followed by an input phase. Although the test operation starts in each case with the identification phase, the input phase will first be described.

A selection switch 30 is set to position a by the first station 32a by means of information IC. Apart from the code key information IEi always available, the following are fed to the crypto-computer 16:

Input information IEj from generator 26 for the variable information IV; and

the secret individual identification number or memorised number from a keyboard 25.

The variable information IV is recorded in the form of magnetic information IM on the magnetic track by a recording head 3a of the magnetic head. The information 10 from the first station 32a acts as information IS to control the scanning head 67 so that the latter scans the identification information IDu as part of the forgery-proof information IU (i.e. for example, reflex zone RZ with intersection point Xi, Y; in zone RF of forgery-proof information) and is fed on the one hand to the first station 32a and on the other hand as input information IE: to the crypto-computer 16, in which, together with the other input information, output information IA* is computed and, when selection switch 30 is in position b, acts as control information to re-position the scanning head 67 in pseudo-random manner. Switch 30 is set to position c and the partial information read off by scanning head 67 is fed on the one hand as further identification information IDu to the first station 32a and on the other hand as further input information IE: to the crypto-computer in which the output information IAi is computed and recorded in the form of magnetic information IM on the magnetic track.

In the identification phase, the selector switch 30 is again initially at a. The individual identification numbers are introduced into the crypto-computer 16 as input information IE* by means of keyboard 25. The variable information recorded during the previous test operation is read out as magnetic information IMb from the magnetic track 2 by means of a readout head 3b and is fed to the crypto-computer as input information IEj. The other operations up to generation of the output information IA. are the same as in the input phase. The output information IMb magnetically stored during the previous test operation is then read out with selection switch 30 in position c, fed to line 46 and compared in comparator 29 with the output information IA. generated in the crypto-computer during the identification phase. The result of the comparison is identity or non-identity and is available as information IDj at point 22. If there is identity, and if the identification information IDc is found to be correct in the first station 32a, then the identification is also considered to be correct. In the first station 32a the identification information IDu consisting of the forgery-proof information IU is stored for comparison for all the card-holders of the organization.

The forgery-proof storage and amendment of variable data, such as sums of money or the like, on the identification card is effected normally after the identification processes during the test operation, and also comprises two stages. During a record stage, which follows the input stage, with the selection switch 30 in position d for example, the instantaneous state of the account is fed in the form of digital data from a second station 32b of the control stage 32 in the form of an input-output unit as information IDi to the crypto-mixer 27 of known type, in which it is mixed with the output information IA« produced by the methods described above, to give the cipher, and is fed via a line 48 as magnetic information IM, to the magnetic record head 3a and is recorded on the magnetic track in the form of a coded account balance.

During a read phase in the test operation following the identification phase, with selection switch 30 in position d, the ciphered account balance described in connection with the preceding test operation is read off from the magnetic track and fed as magnetic information IMb via line 44 to a decode-mixer 28, in which it is decoded with the output information IAi produced by the method described above, and fed as the account balance in plain language to the second station 32b. This account balance can also be checked for authenticity by presetting a number of zeros in the second station 32b.

The authenticity of the account balance can also be guaranteed, for example, as described in DOS 23 50 418, by using it, firstly, as input information to the crypto-computer 16 and, secondly, storing it in "plain language" on the magnetic track. In that case, output information IAi generated in the crypto-computer by means of the input information:
Code key information IEi
Forgery-proof information IE;
Variable information IV
Account balance ID.
is stored as a crypto-number together with the account balance ID! on the magnetic track 2 of the identification card during the record phase. During subsequent examination of the authenticity of the account balance during a read phase, the above-listed information is introduced into the crypto-computer and the resulting output information is checked for agreement with the stored crypto number.
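
The record and read phases described above, together with the irreversible erasure proposed earlier against re-recording an old magnetic track, can be modelled in a few functions. This is an added example, not code from the patent: HMAC-SHA256 stands in for the crypto-computer 16, and the 180/20 split of storage points, the 3-byte zone contents and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

DATA_ZONES = 180              # points open to pseudo-random selection (assumed split)
ERASE_ZONES = 20              # one line reserved for irreversible erasure (assumed)
BLACKENED = b"\xff" * 4       # constructed reading of an erased zone (never a 3-byte zone)


def crypto_computer(key, *inputs):
    """Stand-in for crypto-computer 16: HMAC-SHA256 over length-prefixed inputs."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for item in inputs:
        mac.update(len(item).to_bytes(4, "big") + item)
    return mac.digest()


class Card:
    """Permanent storage points (information IU) plus a rewritable magnetic track."""

    def __init__(self):
        # 200 storage points in total, as in the text; contents are constructed.
        self.zones = [secrets.token_bytes(3) for _ in range(DATA_ZONES + ERASE_ZONES)]
        self.erased = 0
        self.track = None

    def erase_next_zone(self):
        """Blacken one more zone of the erase line; there is no way to undo this."""
        if self.erased >= ERASE_ZONES:
            raise RuntimeError("card exhausted, replacement required")
        self.zones[DATA_ZONES + self.erased] = BLACKENED
        self.erased += 1

    def erase_line(self):
        return b"".join(self.zones[DATA_ZONES:])


def select_zone(key, iv):
    """Key- and IV-dependent choice of one storage point (control information IS)."""
    return int.from_bytes(crypto_computer(key, b"select", iv)[:4], "big") % DATA_ZONES


def crypto_number(key, card, iv, balance, bind_erasure):
    """Crypto number over code key, selected zone, variable information and balance."""
    zone = card.zones[select_zone(key, iv)]
    line = card.erase_line() if bind_erasure else b""
    return crypto_computer(key, b"number", zone, iv, str(balance).encode(), line)


def record(key, card, balance, bind_erasure=True):
    """Record phase: erase a zone, draw new variable information, write the track."""
    if bind_erasure:
        card.erase_next_zone()
    iv = secrets.token_bytes(8)
    number = crypto_number(key, card, iv, balance, bind_erasure)
    card.track = {"iv": iv, "balance": balance, "number": number}


def read_balance(key, card, bind_erasure=True):
    """Read phase: recompute the crypto number; None means the track is rejected."""
    t = card.track
    expected = crypto_number(key, card, t["iv"], t["balance"], bind_erasure)
    return t["balance"] if hmac.compare_digest(expected, t["number"]) else None


def withdraw(key, card, amount, bind_erasure=True):
    balance = read_balance(key, card, bind_erasure)
    if balance is None or amount > balance:
        return False
    record(key, card, balance - amount, bind_erasure)
    return True


def stale_track_accepted(bind_erasure):
    """Write an old track copy back after a withdrawal; is the old balance accepted?"""
    key, card = secrets.token_bytes(32), Card()    # constructed code key and card
    record(key, card, 500, bind_erasure)
    old_track = dict(card.track)
    withdraw(key, card, 200, bind_erasure)
    card.track = old_track
    return read_balance(key, card, bind_erasure) == 500


def track_accepted_on_other_card():
    """Copy a valid track onto a card with different permanent information."""
    key, genuine, other = secrets.token_bytes(32), Card(), Card()
    record(key, genuine, 500)
    other.track = dict(genuine.track)
    return read_balance(key, other) is not None


def edited_balance_accepted():
    """Change the plain-language balance on the track without the code key."""
    key, card = secrets.token_bytes(32), Card()
    record(key, card, 500)
    card.track["balance"] = 900
    return read_balance(key, card) is not None


if __name__ == "__main__":
    print("stale track accepted, no erasure input: ", stale_track_accepted(False))
    print("stale track accepted, erase line bound: ", stale_track_accepted(True))
    print("track accepted on another card:         ", track_accepted_on_other_card())
```

With the erase line left out of the inputs the stale track still verifies, which is the weakness the irreversible erasure is meant to close.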

For cash withdrawals from a cash dispensing machine, the keyboard 25 is then used for inputting a sum of money which is dispensed by the machine and which is deducted from the account balance in the second station 32b, the new account balance in coded form being retained on the magnetic track in the record phase.

Falsification of the account balance stored in ciphered form is impossible because the cipher is dependent upon the code key and on the forgery-proof card information.

All the operations described are carried 
out digitally and electronically. 

The line points 8, 9, 10, 19, 20, 50 correspond to those of the simplified block schematic in Figure 2. All the other operations not described in detail in the test station are controlled by the first station 32a by means of the control information 1ST.

As already stated, the operations described apply to very high security requirements and can be greatly reduced for many applications. For example, where security requirements are less stringent, the forgery-proof information can be omitted or just one card number may be provided and the card information may be contained in the magnetic track. If requirements are somewhat higher than this, just a single track, e.g. line Yi in Figure 2 of forgery-proof information could be provided, for example, and be simultaneously scannable with the magnetic track during the period when the card passes through the test station. The forgery-proof information selected by the crypto-computer, by means of code key and variable information, could also serve as crypto-computer input information in order jointly to determine the output information IA.

To eliminate errors during card scanning, the forgery-proof information may be stored in redundant error-correcting codes of known type. For example, each storage point RZ could be tripled, being distributed over the card, and the two identical readings of the three being selected as the correct ones.

Using the variable information, it would also be possible to carry out additional test operations if one such operation is unsuccessful, e.g., due to card soiling, a changeover to perfectly readable storage points being made by the pseudo-random selection of the forgery-proof information.

All control operations and ciphering can be carried out by means
of one or more micro-processors, all the operations being in
sequence as a result of the relatively slow processes and the
outlay required for control of the test operations for higher
security will also be relatively small.
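
The coding and test operations described above, together with the tripled storage points and the key-driven selection of forgery-proof information, can be sketched as follows. This is an added example, not part of the specification: HMAC-SHA256 stands in for the crypto-computer, whose cipher the text does not give, and all function names, sizes and the sample card are constructed for illustration.

```python
import hashlib
import hmac
import secrets

N_POINTS, N_SELECT = 64, 16  # constructed sizes: points on card / points per test


def crypto(key, *parts):
    """Stand-in crypto-computer (assumption): HMAC-SHA256, length-prefixed inputs."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def read_point(copies):
    """Tripled storage point: accept the value two of the three readings agree on."""
    return 1 if sum(copies) >= 2 else 0


def select_points(key, variable):
    """Pseudo-random choice of storage points from code key and variable information."""
    chosen, counter = [], 0
    while len(chosen) < N_SELECT:
        for byte in crypto(key, b"select", variable, counter.to_bytes(4, "big")):
            if byte % N_POINTS not in chosen and len(chosen) < N_SELECT:
                chosen.append(byte % N_POINTS)
        counter += 1
    return chosen


def identification(key, permanent, variable):
    """Output information IA from the selected permanent points and variable information."""
    bits = bytes(read_point(permanent[i]) for i in select_points(key, variable))
    return crypto(key, b"ident", bits, variable)


def issue_card(key, permanent):
    """Coding: record fresh variable information and IA on the magnetic track."""
    variable = secrets.token_bytes(8)
    return {"variable": variable, "ia": identification(key, permanent, variable)}


def verify_card(key, permanent, track):
    """Testing: recompute IA from what is read off the card and compare."""
    expected = identification(key, permanent, track["variable"])
    return hmac.compare_digest(expected, track["ia"])


def make_permanent():
    """Constructed sample card: every storage point written as three equal copies."""
    return [[bit] * 3 for bit in (secrets.randbelow(2) for _ in range(N_POINTS))]
```

A magnetic track copied onto a card with different permanent information fails `verify_card`, while a card with one misread copy per storage point still passes because of the two-out-of-three vote.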
WHAT WE CLAIM IS:- 
1. A process for coding and subsequently testing an
identification card having a first area in which machine readable
information is stored in permanent form and a second area in
which machine readable information may be recorded and erased,
the coding process comprising providing secret information,
ciphering at least some of the permanently recorded information
with said secret information to provide identification
information and recording said identification information in said
second area; the testing process comprising providing secret
information identical to that provided on coding the card,
selecting and machine reading from the card those areas
containing the permanently recorded information used for
ciphering to provide identification information, machine reading
the identification information recorded in said second area and
comparing it with the identification information formed during
the testing process.

2. A process according to Claim 1, including using another set
of extra information with at least some of the permanently
recorded information and the secret information to form said
identification information recorded in said second area,
recording said another set of information in said second area
and, on testing the card, machine reading said another set of
information to form the identification information used in said
comparison.

3. A process according to Claim 2, including forming selection
information from cyphering the secret information with at least
some of said another set of information and selecting said first
areas under control of said selection information.

4. A process according to Claim 1, including cyphering data
information by the identification information and recording the
ciphered data on the card and recovering the data information
during testing by deciphering with the identification information
read from the card.

5. A process according to Claim 1, including irreversibly
erasing some of the permanent information from the card and
utilising an erase information obtained from the erased state of
the permanent information to form the identification information
and the test information.

6. A process according to Claim 2, including using a different
serial number as the extra information on each test operation.

7. A process according to Claim 2, in- 
cluding using date-time as the extra infor- 
mation. 

8. A process according to Claim 2, including using random
information as the extra information.

9. A process according to Claim 1, including using a
predetermined part of the permanent information as recognition
information containing the identity of the cardholder.

10. A process according to any one of the preceding claims,
characterised in that certain parts of the permanent information
determined by the identification information are used as
recognition information.

11. A process according to Claim 1, wherein the permanent
information on the identification card is represented by a
spatial arrangement of a plurality of optical reflex surfaces
which are embedded in the card and which are not accessible to
mechanical scanning, and all the other information is stored on a
magnetic track.

12. A process according to Claim 11, wherein groups of reflex
surfaces are combined into reflex zones and at least one of these
zones is selected by the selection information for ciphering.

13. Identification apparatus using identification cards bearing
two sets of machine-readable information, one set being stored in
permanent form and the other in variable form, and comprising a
production and test station for the identity card, said station
comprising first means for reading the permanent information,
second means for reading the variable information and first
recording means for variable storage of information on the
identification cards, and an evaluation stage cooperating with
the two reading means and the first recording means wherein the
evaluation means and the first recording means wherein the
evaluation stage contains a store for a secret key information, a
decision stage and a crypto-generator which generates a first
output information from the secret key information stored in the
store and the permanent information read off from each card by
the first reading means, the decision stage during card testing
tests the first output information as test information to see
whether it agrees with the variable information read off as
identification information from the card by the second reading
means and when a card is made out the recording means store the
first output information in the form of identification
information on the card.

14. Apparatus according to Claim 13, wherein the evaluation
stage comprises a generator which is connected to the
crypto-generator and which is intended to produce extra
information which varies from one test to another, said apparatus
including second recording means for storing this extra
information on the identification cards and third reading means
which read the extra information from the identification cards,
and wherein the crypto-generator generates the first output
information from the key information, the permanent information
read off by the first reading means, and the extra information
read off by the third reading means.

15. Apparatus according to Claim 14, wherein the second and
first recording means and the second and third reading means are
identical.

16. Apparatus according to Claim 13, including means connected
to the crypto-generator to feed memory information to the
crypto-generator, and the latter takes this memory information
into account when generating the first output information.

17. Apparatus according to Claim 14, including means for
selecting parts of the permanent information stored on the cards,
and wherein the crypto-generator generates a second output
information from the secret key information and from the extra
information read off by the third reading means, and on the basis
of this second output information the selection means select the
parts of the permanent information.

18. Apparatus according to Claim 14, wherein the card making and
test station comprises an input and output stage for data
information, a crypto-mixer and the crypto-generator, said mixer
ciphering the data information by means of the first output
information, third record means for storing the ciphered data
information on the identification cards, fourth reading means for
reading the ciphered data information stored on the
identification cards, and a decipher-mixer which is triggered by
the fourth reading means and the crypto-generator and which is
connected to the input and output stage and which, by means of
the first output information, deciphers the ciphered data
information read off by the fourth reading means and passes it to
the output and input stage.

19. Apparatus according to Claim 18, wherein the second and the
fourth reading means and the first and third recording means are
identical.

20. Apparatus according to Claim 19 or 20, wherein the input and
output stage is a cash dispensing machine with an account balance
device, and has input means by means of which it is possible to
input the value of a sum of money to be drawn from a credit
account defined by the identification card, the account balance
device feeds to the crypto-mixer in the form of data information
the account balance revised after the withdrawal, and before any
payment is made said device compares the old account balance read
off from the identification cards and deciphered by the
decipher-mixer with the amount of the input sum of money to be
withdrawn, and prevents any payment from being made if such sum
is greater than the account balance.

21. Apparatus according to Claim 13, wherein the card making and
testing station has a selection stage which selects parts of the
permanent information as identification information.

22. Apparatus according to Claim 13, wherein the card making and
testing station has an erase head and positioning means for the
erase head, such means irreversibly erasing parts of the
permanently stored card information which are selected on each
test on an identification card.

23. A process according to any one of Claims 1-3, wherein
memorized information is additionally used to form the
identification information.

TREGEAR, THIEMANN & BLEACH,
Chartered Patent Agents,
Enterprise House,
Isambard Brunel Road,
Portsmouth PO1 2AN
-and-
49/51, Bedford Row,
London, WC1V 6RU
Agents for the Applicants